How We Helped an Austrian Company Recover 10TB from SafePay Ransomware

Earlier this month, we were contacted by the IT lead of a mid-sized industrial firm based in Linz, Austria. Their organization had just suffered a massive ransomware attack, and all signs pointed to the SafePay ransomware variant—identifiable by the .safepay file extension and the ransom note readme_safepay.txt.

In total, the company had over 10 terabytes of data encrypted, affecting Windows servers, shared drives, and several production systems. The attack had completely frozen operations, causing significant downtime and business disruption.


First Contact and Initial Assessment

The IT investigator reached out to us via WhatsApp, having come across our website and read about successful recoveries involving the SafePay Decryptor. After a quick conversation, we asked them to share a few sample encrypted files so we could verify compatibility.

They sent us three PDF files, each of which had been encrypted by the ransomware. We ran these samples through our internal verification process on our main server, where we maintain dedicated tools for SafePay-related cases.

Within minutes, we decrypted the files successfully.

To demonstrate that recovery was possible, we took screenshots of the decrypted PDFs alongside their encrypted versions and sent them back to the client as proof.


Proposal and Approval

After seeing the decrypted PDFs, the client’s team presented our solution to their management. We quoted them 0.10 BTC for a full recovery, including the decryptor, user instructions, and support. The next day, the payment was confirmed, and we immediately began generating their custom decryptor.

[Image: proof of payment, 0.10 BTC]

Delivery and Deployment

Within 30 minutes of payment confirmation, we emailed the client:

  • The SafePay Decryptor
  • A step-by-step usage guide
  • Instructions on how to use the Device ID from the ransom note for authentication

The decryptor was designed to connect to our online recovery servers, which allowed us to bypass the encryption logic used by the ransomware. We advised the client to deploy the decryptor on an isolated machine first, to ensure a smooth and secure process.


Successful Recovery

The decryption process was launched the same day. The IT team reported that everything ran smoothly. Over the next 5–6 hours, they were able to decrypt all 10TB of affected data without any corruption or loss.

Key assets recovered included:

  • Financial documents
  • HR files
  • Engineering CAD drawings
  • Internal project records
  • Licensing and compliance documents

By the end of the day, their systems were back online and production had resumed.


Client Feedback

The next morning, we followed up via WhatsApp to check how things went.

[Image: client feedback]
